Conversation

vbaderks
Contributor

When restoring Nuget packages, dotnet restore will report the following warnings:

warning NU1902: Package 'BouncyCastle.Cryptography' 2.2.1 has a known moderate severity vulnerability, GHSA-8xfc-gm6g-vgpv
warning NU1903: Package 'MimeKit' 4.3.0 has a known high severity vulnerability, GHSA-gmc6-fwg3-75m5
warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, GHSA-447r-wph3-92pm
warning NU1903: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, GHSA-447r-wph3-92pm
warning NU1903: Package 'Microsoft.Extensions.Caching.Memory' 8.0.0 has a known high severity vulnerability, GHSA-qj66-m88j-hmgj
warning NU1903: Package 'NuGet.Common' 6.3.1 has a known high severity vulnerability, GHSA-6qmf-mmc7-6c2p
warning NU1903: Package 'NuGet.Protocol' 6.3.1 has a known high severity vulnerability, GHSA-6qmf-mmc7-6c2p
warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, GHSA-8g4q-xg66-9fp4
warning NU1904: Package 'NuGet.Packaging' 6.3.1 has a known critical severity vulnerability, GHSA-68w7-72jg-6qpp
warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, GHSA-7jgj-8wvc-jh57
warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, GHSA-cmhx-cq75-c4mj

Reporting vulnerability warnings is a recent new feature of NuGet functionality. Updating the used NuGet packages to the latest official released versions has resolved these warnings.
NuGet packages that require .NET 9.0 are updated to the latest 8.x versions as updating TargetFramework to .NET 9.0 is considered out of scope of this PR.

Remarks:

  • System.Text.Json is a transient package which requires an explicit PackageVersion as the actual package Microsoft.VisualStudio.Web.CodeGeneration.Design cannot be updated as it requires .NET 9.0.
  • Microsoft.Extensions.PlatformAbstractions is a legacy package and is no longer maintained. The source files that had a reference to this package have been removed. The actual code/test inside these files was not used.

Reference:

Executing: dotnet nuget why "DasBlog All.sln" System.Text.Json
  [net8.0]
   └─ DasBlog.Web (v8.0.0)
      └─ Microsoft.VisualStudio.Web.CodeGeneration.Design (v8.0.6)
         ├─ Microsoft.DotNet.Scaffolding.Shared (v8.0.6)
            └─ Microsoft.CodeAnalysis.CSharp.Features (v4.8.0)
               └─ Microsoft.CodeAnalysis.Features (v4.8.0)
                  └─ System.Text.Json (v7.0.3)  <= Has vulnerability
Executing: dotnet nuget why "DasBlog All.sln" System.Net.Http
  [net8.0]
   └─ Microsoft.Extensions.PlatformAbstractions (v1.1.0) <= This package has been deprecated as it is legacy and is no longer maintained. (aspnet/Announcements#237)
      └─ NETStandard.Library (v1.6.1)
         └─ System.Net.Http (v4.3.0)  <= Has vulnerability
Executing: dotnet nuget why "DasBlog All.sln" System.Text.RegularExpressions
  [net8.0]
   └─ Microsoft.Extensions.PlatformAbstractions (v1.1.0)  <= This package has been deprecated as it is legacy and is no longer maintained. (aspnet/Announcements#237)
      └─ NETStandard.Library (v1.6.1)
         ├─ System.Text.RegularExpressions (v4.3.0)
         ├─ System.Xml.ReaderWriter (v4.3.0)
         │  └─ System.Text.RegularExpressions (v4.3.0) <= Has vulnerability
         └─ System.Xml.XDocument (v4.3.0)
            └─ System.Xml.ReaderWriter (v4.3.0)
               └─ System.Text.RegularExpressions (v4.3.0)  <= Has vulnerability
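As an added illustration, not code from this PR or from the DasBlog project, the following Directory.Packages.props fragment shows the two mechanisms the description relies on: pinning a transitively referenced package through an explicit PackageVersion, and making the NuGet audit warnings (NU1902/NU1903/NU1904) fail the restore so that a vulnerable version cannot creep back in through a later dependency bump. The property names are existing NuGet/MSBuild settings. Assumptions: the 8.0.5 version of System.Text.Json is taken to be a patched release and should be checked against GHSA-8g4q-xg66-9fp4; CentralPackageTransitivePinningEnabled is set because, under Central Package Management, a PackageVersion entry for a package that no project references directly has no effect without it.

```xml
<Project>
  <PropertyGroup>
    <!-- Central Package Management: every PackageReference takes its version
         from the PackageVersion items below instead of from the project file. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Assumption for this example: without transitive pinning a PackageVersion
         for a package that is only pulled in transitively is ignored. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>

    <!-- NuGet vulnerability auditing, the feature that produces the NU19xx warnings.
         Mode "all" audits transitive packages as well as direct ones, which is what
         surfaces System.Net.Http 4.3.0 beneath Microsoft.Extensions.PlatformAbstractions. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Report everything from moderate severity upward (NU1902 and above). -->
    <NuGetAuditLevel>moderate</NuGetAuditLevel>

    <!-- Promote the audit warnings to restore errors so CI fails instead of logging. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct dependency that cannot move past 8.x without retargeting to net9.0. -->
    <PackageVersion Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="8.0.6" />
    <!-- Transitive pin: overrides the System.Text.Json 7.0.3 that CodeGeneration.Design
         brings in. 8.0.5 is assumed to be a patched release; verify against the advisory. -->
    <PackageVersion Include="System.Text.Json" Version="8.0.5" />
  </ItemGroup>
</Project>
```

With this in place, `dotnet restore` stops with an error for any package matching a known advisory at moderate severity or higher. The `dotnet nuget why` output in the reference above is the tool for deciding how to handle each hit: when a patched version exists, pin it as done for System.Text.Json; when the offending package is only reachable through an abandoned dependency, as with Microsoft.Extensions.PlatformAbstractions here, removing that dependency is the cleaner fix.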

@poppastring poppastring merged commit c484843 into poppastring:main Nov 21, 2024
3 checks passed
@poppastring
Owner

@vbaderks Many thanks!

@vbaderks vbaderks deleted the resolve-nuget-vulnerability-warnings branch November 21, 2024 09:10